Nimiq Core-RS Albatross Flaw Exposes Nodes to DoS Attacks

CVE Notify has flagged a critical vulnerability in the Nimiq core-rs-albatross Rust implementation, specifically affecting versions prior to 1.3.0. This bug, identified as CVE-2026-35468, lies within two peer-facing consensus request handlers. These handlers incorrectly assume the history index is always present and attempt to unwrap it directly using blockchain.history_store.history_index().unwrap(). However, the HistoryStoreProxy::history_index() method can legitimately return None when a node is operating in a state without the history index, such as during synchronization.

A remote attacker can exploit this by sending specific requests (RequestTransactionsProof or RequestTransactionReceiptsByAddress) to a node running without the history index. This triggers an Option::unwrap() panic in the request handling path, leading to a denial-of-service condition. CVE Notify confirms that this vulnerability has been patched in version 1.3.0 of core-rs-albatross, addressing the flawed assumption that led to the panic.
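The unwrap-on-None pattern described above, next to one way of handling the missing index, as an added example that is not code from core-rs-albatross or its 1.3.0 patch. The types are simplified stand-ins that reuse the names from the advisory; `ResponseError`, the handler names, the `by_address` field and the sample data are assumptions made for illustration.

```rust
// Simplified model of the advisory's pattern. All types are illustrative
// stand-ins, not the definitions used in core-rs-albatross.
use std::collections::HashMap;

pub struct HistoryIndex { by_address: HashMap<String, Vec<String>> }

pub enum HistoryStoreProxy {
    WithIndex(HistoryIndex),
    WithoutIndex, // node state in which no history index exists
}

impl HistoryStoreProxy {
    pub fn history_index(&self) -> Option<&HistoryIndex> {
        match self {
            HistoryStoreProxy::WithIndex(idx) => Some(idx),
            HistoryStoreProxy::WithoutIndex => None,
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum ResponseError { NoHistoryIndex } // hypothetical error variant

// "Before": a peer-controlled request reaches unwrap() on a possible None.
pub fn handle_receipts_unchecked(store: &HistoryStoreProxy, addr: &str) -> Vec<String> {
    let index = store.history_index().unwrap(); // panics in WithoutIndex state
    index.by_address.get(addr).cloned().unwrap_or_default()
}

// "After": the missing index becomes an error the handler can return to the peer.
pub fn handle_receipts_checked(store: &HistoryStoreProxy, addr: &str) -> Result<Vec<String>, ResponseError> {
    let index = store.history_index().ok_or(ResponseError::NoHistoryIndex)?;
    Ok(index.by_address.get(addr).cloned().unwrap_or_default())
}

// Constructed sample data: one address with two transaction identifiers.
pub fn sample_store() -> HistoryStoreProxy {
    let mut m = HashMap::new();
    m.insert("addr1".to_string(), vec!["tx_a".to_string(), "tx_b".to_string()]);
    HistoryStoreProxy::WithIndex(HistoryIndex { by_address: m })
}

fn main() {
    let no_index = HistoryStoreProxy::WithoutIndex;
    println!("{:?}", handle_receipts_checked(&no_index, "addr1"));
    println!("{:?}", handle_receipts_checked(&sample_store(), "addr1"));
}
```

A clippy configuration that denies `clippy::unwrap_used` in request-handling modules flags the "before" form at review time.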

The implications are clear: nodes that are not kept up-to-date with the latest patch are susceptible to being taken offline by specially crafted network requests. This highlights the ongoing challenge of maintaining robust consensus mechanisms, especially in decentralized systems where nodes may operate in varied states.

What This Means For You

  • Ensure all nodes running Nimiq's core-rs-albatross are updated to version 1.3.0 or later to patch CVE-2026-35468 and prevent remote DoS attacks targeting nodes operating without a history index.

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35468 | DoS | nimiq/core-rs-albatross versions prior to 1.3.0. Vulnerable component: peer-facing consensus request handlers. Vulnerable function: blockchain.history_store.history_index().unwrap(). Triggered by RequestTransactionsProof or RequestTransactionReceiptsByAddress when history index is not available. |
| CVE-2026-35468 | Panic | nimiq/core-rs-albatross versions prior to 1.3.0. Vulnerable component: HistoryStoreProxy::history_index(). Vulnerable state: HistoryStoreProxy::WithoutIndex. Triggered by Option::unwrap() when history index is None. |